Skip to content
Americans for Propriety
Menu

Brief · tech and data rights

Federal privacy law — the cause, after the bill lapsed

The American Privacy Rights Act expired without reintroduction. What the comprehensive-privacy cause still needs, what the preemption fight is actually about, and how to read the new proposals in the 119th Congress.

May 21, 2026 · 7 min read · AfP Research

The bill lapsed; the cause did not

Every Congress since 2012 has seen comprehensive federal privacy legislation introduced. None has been enacted. The patterns of failure have been consistent — disagreements about scope, preemption, enforcement, individual rights, and the political weight of the industries affected.

The American Privacy Rights Act was the most recent major proposal, and for a time it had gotten further than its predecessors: bipartisan committee versions advanced, the text was substantially negotiated, and industry, civil society, and state attorneys general engaged in detail. But the bill stalled before any floor vote, a June 2024 markup was canceled, and it expired when the 118th Congress ended. APRA was not reintroduced in the 119th Congress. There is, at present, no bill named APRA to “support.”

That does not retire the cause. The United States remains the largest economy in the world without a comprehensive federal privacy law, and the underlying need has not changed. This brief explains where the cause actually stands in May 2026, what a federal privacy law worth having must include, and how to read the proposals now circulating.

What the cause requires

The substantive goal is unchanged from the APRA era. A federal privacy law worth supporting would provide, at a minimum:

A federal floor, not a ceiling. Federal law should set a baseline of protection below which no state can fall, while leaving states free to go further. This is the single most important design question, and it is treated in its own section below.

Data minimization. Collection and use of personal data limited to what is reasonably necessary for the purpose for which it was provided, with stricter limits on sensitive data.

Individual rights. Access, correction, deletion, and portability.

Affirmative consent for sensitive data. Health, biometric, precise location, government identifiers, and similar categories treated with stricter purpose limits and opt-in consent.

A meaningful private right of action. The ability for individuals to enforce their own rights, rather than depending entirely on the resources of a single agency.

Enforcement capacity. FTC primary enforcement and state attorney general parallel enforcement, backed by staffing and authority that match the scope of the law.

The conceptual framework is the same one found in European GDPR, California’s CCPA/CPRA, and the leading state-level privacy laws. The implementation details vary; the design questions that decide whether a federal law helps or hurts are preemption and enforcement.

What the preemption fight is actually about

The recurring sticking point in federal privacy legislation is preemption — whether federal law displaces state law on the same subject matter, and to what extent.

Industry generally favors broad preemption. The patchwork of state laws that has developed in the federal vacuum imposes real compliance costs; replacing it with a single federal standard would reduce those costs even if the federal standard is no stricter than the state average.

Civil society and state-level privacy advocates generally favor a federal floor that does not preempt stronger state laws. Several state frameworks — California’s in particular — provide protections that would be lost under strict preemption. The argument: federal law should set a meaningful baseline below which states cannot fall, while allowing states to experiment with stronger protections.

State attorneys general have a specific institutional stake. State AG enforcement of state privacy laws is a significant share of all US privacy enforcement. Preemption that displaced state AG authority would centralize enforcement in the FTC — an agency with chronically constrained resources for the breadth of issues it already handles.

The honest framing is not “uniform national standard vs. messy patchwork.” A broad-preemption bill that sets a weak national standard does not deliver strong uniform protection; it delivers weak protection and removes the stronger state laws that currently exist. Trading a real patchwork for a single weak floor would leave Americans worse protected than they are today.

How to read the 119th Congress proposals

With APRA gone, new comprehensive privacy bills have appeared, and they should be read against the principles above rather than welcomed simply for existing.

The most prominent is the SECURE Data Act (H.R. 8413), introduced on April 22, 2026 by Rep. John Joyce, Vice Chairman of the House Energy and Commerce Committee. As an opening proposal it is expected to be renegotiated, but its initial posture is instructive:

  • It embraces broad preemption, displacing state laws that “relate to” its provisions — which would sweep away state comprehensive privacy laws and data-broker registries rather than set a floor beneath them.
  • It includes no private right of action, leaving enforcement to the FTC and state attorneys general only.
  • It largely tracks the state-consensus model, omitting features like mandatory data-protection impact assessments and universal opt-out mechanisms.

Other vehicles have been introduced as well. On the AfP test — a non-preemptive floor, a meaningful private right of action, real data minimization, and adequate enforcement — the SECURE Data Act as introduced falls short on the two questions that matter most. The point of advocacy now is to push any federal vehicle toward those principles, not to back a bill because it carries the word “privacy.”

What state law has achieved in the federal vacuum

Roughly twenty states now have comprehensive privacy laws in effect — California, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, New Jersey, New Hampshire, Maryland, Minnesota, Nebraska, Iowa, Tennessee, Utah, and others, with Indiana, Kentucky, and Rhode Island joining on January 1, 2026.

California (CCPA / CPRA). The most comprehensive state framework, with a dedicated enforcement agency (the California Privacy Protection Agency) producing active enforcement.

The wider patchwork. Most other state laws are less protective than California’s, but each provides meaningful baseline rights, and several carry specific innovations — California’s Delete Act for data brokers among them — that probably would not have emerged through federal negotiation.

The patchwork’s costs and benefits. Compliance with multiple state regimes imposes real costs on businesses operating across state lines, which has produced the industry pressure for federal preemption. At the same time, state legislatures have served as a laboratory: in 2025, for the first time in five years, the pace of new state laws leveled off, a sign the field is maturing rather than still expanding. If federal legislation is enacted, its preemption scope will determine how much of this state-level work survives.

What to watch

  • The SECURE Data Act and any successor vehicles. Whether the broad-preemption posture and the absence of a private right of action are renegotiated as the bill moves.
  • State-level enforcement. California’s CPPA and state AG actions elsewhere remain the most active privacy enforcement in the country.
  • The federal preemption campaign more broadly. The same preemption fight is playing out in AI policy, where the executive branch has moved to clear state law through litigation and funding pressure; privacy is the older front in the same war.
  • FTC capacity. Whether any federal bill provides the staffing and authority an agency would need to actually enforce a comprehensive privacy regime.
  • Children’s online safety legislation. KOSA-style proposals — including the reworked KIDS Act — intersect privacy law and carry their own preemption provisions.

Bottom line

The comprehensive-privacy cause did not end when APRA lapsed; it lost its vehicle. The substantive case is unchanged: the country still needs a federal privacy law with real data minimization, meaningful individual enforcement, and adequate agency capacity. The decisive design question remains preemption — and the proposals now in front of Congress lean toward the broad-preemption, no-private-right-of-action model that would set a weak national floor while erasing stronger state protections. The work of advocacy at this stage is to insist that a federal privacy law be one worth having: a floor, not a ceiling, with enforcement that reaches the people it is meant to protect.

← All briefs